if metadata-complete = true servlet security annotations are still parsed #4234
Comments
@olamy see the Servlet Specification section 15.5.1:
The servlet spec defines "discoverable" annotations and "introspectable" annotations. Discoverable ones are those that are actively scanned-for by the container iff metadata-complete is false. The introspectable ones are those that must be looked at on a class when the class is going into service, whether or not metadata-complete is true. I recall very long email threads about this in the servlet spec group back in servlet 3.0. AFAIK the agreed conclusion is that if metadata-complete == true, WebServlet, WebFilter and WebListener will not be discovered. But all other annotations that can be put on a class must be honoured: both for servlets/filters/listeners defined in web.xml/web-fragment.xml or added programmatically. @gregw is that your understanding?
even our javadoc says to not parse in this case :) https://github.com/eclipse/jetty.project/blob/add8ffca5b8e7ebcb81ffff35b573f42ec52e217/jetty-annotations/src/main/java/org/eclipse/jetty/annotations/ServletSecurityAnnotationHandler.java#L53
Servlet spec says (so I'm lost :) )
…ete true Signed-off-by: olivier lamy <oliver.lamy@gmail.com>
@olamy yes, it is an extremely poorly defined and sometimes contradictory specification. When considering how to handle annotations that are not As for the comment in ServletSecurityAnnotationHandler - the implementation was trying to keep pace with the on-the-fly decisions of the servlet spec group, so I think that one is out-of-date, before the spec group decided that security annotations would have to be introspected and not discovered. All of which is not to say that we shouldn't change our implementation, but the question is - to what??!
I will open a case in the TCK because our implementation currently breaks a TCK test.
but reading https://javaee.github.io/servlet-spec/downloads/servlet-4.0/servlet-4_0_FINAL.pdf
@olamy more interesting is this part of the spec, about Security annotations:
Let me digest that prose and get back to you.
Well ... having read and re-read the relevant section (13.4.1) I'm not sure it's any clearer :( So here are my understandings, but check with the servlet group experts/tck maintainers etc: In all cases, metadata-complete==true:
done
Spec says
If “metadata-complete” is set to "true", the deployment tool MUST ignore any servlet annotations present in the class files of the application and web fragments.
Even ServletSecurityAnnotationHandler javadoc says
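
Added example (not part of the issue thread, and not Jetty code): because the thread leaves open whether `@ServletSecurity` is honoured when `metadata-complete` is true, this audit lists the servlet mappings in a `web.xml` that have no `<security-constraint>` in the descriptor itself, so their protection would rest on annotation handling alone. The sample descriptor and class names are constructed, and pattern matching is simplified (exact or `/prefix/*` only; HTTP-method limits are ignored).

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (not taken from the issue or from Jetty).
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0"
         metadata-complete="true">
  <servlet><servlet-name>admin</servlet-name>
    <servlet-class>com.example.AdminServlet</servlet-class></servlet>
  <servlet><servlet-name>report</servlet-name>
    <servlet-class>com.example.ReportServlet</servlet-class></servlet>
  <servlet-mapping><servlet-name>admin</servlet-name>
    <url-pattern>/admin/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>report</servlet-name>
    <url-pattern>/report</url-pattern></servlet-mapping>
  <security-constraint>
    <web-resource-collection><web-resource-name>reports</web-resource-name>
      <url-pattern>/report</url-pattern></web-resource-collection>
    <auth-constraint><role-name>auditor</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def _local(tag):
    """Strip the XML namespace so Java EE and Jakarta descriptors both parse."""
    return tag.rsplit("}", 1)[-1]

def _texts(elem, name):
    return [(e.text or "").strip() for e in elem.iter() if _local(e.tag) == name]

def covers(constraint, mapping):
    """Simplified match: exact pattern, or a '/prefix/*' constraint over the mapping."""
    if constraint == mapping:
        return True
    if constraint.endswith("/*"):
        prefix = constraint[:-2]
        return mapping == prefix or mapping.startswith(prefix + "/")
    return False

def audit_descriptor(xml_text):
    """Return (metadata_complete, [(url-pattern, servlet-class)] with no descriptor constraint)."""
    root = ET.fromstring(xml_text)
    complete = root.get("metadata-complete", "false").strip().lower() == "true"
    top = lambda name: [c for c in root if _local(c.tag) == name]
    constrained = [p for sc in top("security-constraint") for p in _texts(sc, "url-pattern")]
    classes = {_texts(s, "servlet-name")[0]: (_texts(s, "servlet-class") or ["?"])[0]
               for s in top("servlet")}
    uncovered = []
    for m in top("servlet-mapping"):
        cls = classes.get(_texts(m, "servlet-name")[0], "?")
        uncovered += [(p, cls) for p in _texts(m, "url-pattern")
                      if not any(covers(c, p) for c in constrained)]
    return complete, sorted(uncovered)
```

When the first element of the result is `True`, each listed class is worth checking for `@ServletSecurity` and testing against the deployed container.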